
Trend Micro Id It As Troj_agent.cbw Found In C:\windows\system32\wingdm32.dll

I have never been so bombarded as I have this past week with trojans, malware, viruses. You name it, I seem to have picked it up. I've had a PC for 10 years now and I have NEVER seen anything like this. Over the years I have picked up a virus or 2 but nothing like this. In this past week "I THINK" I have gotten rid of spyquake, those yazzles, toolbar888, vundo and several others that I have forgotten the name of. I have done everything in your preparation guide and I finally have things under control somewhat and figured now was a good time to post the hijack log. Right now trend micro is only coming across TROJ_AGENT.CBW found in C:\WINDOWS\system32\wingdm32.dll. While I have downloaded several free trial virus checkers this past week, I have uninstalled them all and am currently only running my usual Trend Micro PC-cillin Internet Security 2005. I also have my system restore turned off (several guides said to) and haven't currently turned it back on. Also I have gone in thru msconfig already and have unchecked anything that seems unrecognizable, which probably won't show up on this log. Should I check them all then run this log again?

Thanks in advance for your help and thanks to you all for all the great guides you offer here!

Please click Start > Run and type in: services.msc

Click OK

In the Services window find: msagent (msagent)

Select/highlight and right click the entry, and choose: Properties

On the General tab, under Service Status click the Stop button

Beside: Startup Type, in the drop menu, select: Disabled

Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:

sc delete msagent

Click: OK

Select "Delete on Reboot".

Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

C:\WINDOWS\SYSTEM32\wingdm32.dll

Put a mark next to "Delete on Reboot"

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Click on Change state next to Resident shield. It should now change to inactive.

Next to Last Update, click on Update now. (You will need an active internet connection to perform this)

Wait until you see the Update successful message.

Note: If the Update now option is grayed out, follow the steps below.

Click on Update on the toolbar.

Under Manual update, click on the Start Update button.

Wait until you see the Update successful message.

Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates.

Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

Click on Scanner on the toolbar.

Click on the Settings tab.

Under How to act?

Click on Recommended Action and choose Quarantine from the popup menu.

Under How to scan?

All checkboxes should be ticked.

Under Possibly unwanted software:

All checkboxes should be ticked.

Under Reports:

Select Automatically generate report after every scan and uncheck Only if threats were found.

Under What to scan?

Select Scan every file.

Click on the Scan tab.

Click on Complete System Scan to start the scan process.

Let the program scan the machine.

When the scan has finished, follow the instructions below.

IMPORTANT: Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)

At the bottom of the window click on the Apply all Actions button. (3)

I never saw that "make hosts writable" although it looked to me as if it opened up writable to begin with.

Other than that I think it all worked out as you said, although when I first ran hijack this to check the few boxes you mentioned I got some kind of error message. I repeated your instructions a second time and didn't get the error message. Just let me know where to go next oh fearless leader!

I am currently at work and saw your reply. Just a quick note, I no longer use Thunderbird at all. I remember using it for a brief time but preferred outlook express. I thought I had uninstalled it? If it is still there I'm not too sure if I can still log onto it (if a password is required it may prove impossible). If you want to wipe Thunderbird away completely that's fine by me.